CVE-2023-41969

7.3 HIGH

📋 TL;DR

This vulnerability in ZSATrayManager allows unprivileged local users to delete arbitrary files by abusing inadequate protection of the temporary encrypted files that ZApp creates for issue reporting. It affects Zscaler Client Connector (ZApp) users on Windows systems. The vulnerability could lead to system instability or data loss.

💻 Affected Systems

Products:
  • Zscaler Client Connector (ZApp)
Versions: before 4.3.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of ZApp. Requires local user access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker could delete critical system files, causing system crashes, data loss, or rendering the system inoperable.

🟠 Likely Case: Local users could delete application files or user data, disrupting ZApp functionality or causing application failures.

🟢 If Mitigated: With proper access controls and patching, the risk is limited to temporary file manipulation with minimal impact.

🌐 Internet-Facing: LOW - exploitation requires local user access; there is no remote vector.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this to disrupt systems or delete files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local user access but no special privileges. Exploitation likely involves abusing how the temporary issue-report files are handled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.0 and later

Vendor Advisory: https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023

Restart Required: Yes

Instructions:

1. Download ZApp version 4.3.0 or later from the Zscaler portal.
2. Run the installer.
3. Restart the system to complete the installation.

🔧 Temporary Workarounds

Restrict local user permissions (Windows)

Limit standard user permissions to reduce their ability to manipulate temporary files.

Monitor file deletion events (Windows)

Enable auditing for file deletion in sensitive directories:

auditpol /set /subcategory:"File System" /success:enable /failure:enable

auditpol only switches on the audit subcategory; a SACL covering Delete (and Delete subfolders and files) must also be set on the directories to be watched, otherwise no 4663/4660 events are generated.

🧯 If You Can't Patch

  • Implement strict access controls to limit standard user file system permissions
  • Monitor for suspicious file deletion patterns in system logs

🔍 How to Verify

Check if Vulnerable:

Check ZApp version in Windows Programs and Features or via ZApp interface. Versions below 4.3.0 are vulnerable.

Check Version (note that querying Win32_Product is slow and triggers a consistency check of every MSI-installed product; the Uninstall registry keys are the lighter alternative):

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Zscaler*"} | Select-Object Name, Version

Verify Fix Applied:

Confirm ZApp version is 4.3.0 or higher after update. Verify ZApp functions normally without file access errors.
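To turn the version check above into an explicit patched/vulnerable verdict, here is an added PowerShell example (not from the advisory or from Zscaler) that reads the installed version from the Uninstall registry keys in both registry views and compares it against the fixed version 4.3.0. Matching on a DisplayName containing "Zscaler" and on a dotted-numeric DisplayVersion is an assumption.

```powershell
# Added example, not from the advisory or from Zscaler: report whether the installed
# Zscaler Client Connector is at or above the fixed version 4.3.0, reading the
# Uninstall registry keys instead of Win32_Product (which is slow and triggers MSI repairs).
# Assumption: the product's DisplayName contains "Zscaler" and DisplayVersion is a
# dotted numeric string (optionally followed by a build tag).
function Test-ZAppPatched {
    [CmdletBinding()]
    param(
        [version]$FixedVersion = [version]'4.3.0'   # first fixed release per the advisory
    )
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zscaler*' -and $_.DisplayVersion }

    if (-not $found) {
        return [pscustomobject]@{ Name = 'Zscaler Client Connector'; Version = $null; Status = 'NotInstalled' }
    }

    foreach ($app in $found) {
        $parsed = $null
        # Keep only the leading dotted numerics so "4.2.0.xyz-beta" still parses.
        $clean = $app.DisplayVersion -replace '[^\d.].*$', ''
        if (-not [version]::TryParse($clean, [ref]$parsed)) {
            $status = 'UnparseableVersion'
        } elseif ($parsed -ge $FixedVersion) {
            $status = 'Patched'
        } else {
            $status = 'Vulnerable'
        }
        [pscustomobject]@{ Name = $app.DisplayName; Version = $app.DisplayVersion; Status = $status }
    }
}

Test-ZAppPatched | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session on the endpoint; any row with Status "Vulnerable" needs the 4.3.0 (or later) upgrade and a restart.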

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in Windows Security logs
  • ZApp crash logs referencing missing files
  • Access denied errors for temporary ZApp files

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

(EventID=4663 AND ObjectName LIKE "%ZSATrayManager%") OR (EventID=4660 AND ObjectName LIKE "%ZApp%")

Note that 4660 (object deleted) records only the Handle ID and process, not the object name, so in practice a 4660 hit must be joined on Handle ID to the preceding 4663 (with DELETE in its access mask) to recover the file path.
